
Proxy based adaptive two factor authentication having automated enrollment

Inactive Publication Date: 2005-01-27
LIU GOUPING

AI Technical Summary

Benefits of technology

[0019] The advantages of such a method and apparatus are simplified enrollment by the user, simplified addition of authentication to an existing application, and transparent authentication once the user is enrolled.

Problems solved by technology

Such methods are subject to a variety of well-known attacks and provide only limited security.
While the use of a PKI scheme, and digital certificates specifically, for strong authentication is well known and relatively straightforward, the process of obtaining the certificates for use is sufficiently complex as to deter their use.
The process involves manual processing on the part of both the user and the Registration Authority and can involve delays while the request is reviewed and approved.
However, it is not widely utilized due in large part to the complexity and inconvenience involved.
The complexity typically occurs on the application side.
While API toolkits are provided for many PKI systems, significant effort is still required to implement the functionality required to provide certificate based authentication.
Accompanying this complexity is the expense associated with such an implementation and subsequent maintenance.
Inconvenience is found primarily on the user side.


PREFERRED EMBODIMENT

[0042] The disclosed invention is described below with reference to the accompanying figures in which like reference numbers designate like parts. Generally, numbers in the 200's refer to prior art elements or elements in the surrounding environment while numbers in the 100's refer to elements of the invention.

[0043] Overview

[0044] The inventive system presents a user friendly strong authentication system, and method of using, which is almost entirely transparent to the user. Activation of strong authentication is via one-click enrollment, after which authentication is performed by monitoring and intercepting messages used in the standard login sequence. User validation for purposes of enrollment is achieved by confirming successful logon to a client application. Encryption keys and a digital certificate are generated and stored through interaction between the user's browser and elements of the inventive system with no user involvement.

[0045] Until the user el...


Abstract

A method of and system for adding strong authentication to an existing network based application. A proxy based monitoring process screens data sent to and from a client application and intercepts login requests. These intercepted requests are redirected to an authentication process which first checks to see if the user logging in has enrolled in strong authentication. If not enrolled, the user is allowed to continue with a normal login. If enrolled, the user is authenticated by requesting digital identification data, such as a digital certificate, from the user's computer. If authentication succeeds, the user is allowed to proceed on to the normal login process. If authentication fails, the login attempt is blocked. User enrollment is automated, requiring no user interaction beyond the initial request. Verification for purposes of issuing a digital certificate, or other identifying data, is by means of confirming that the user being enrolled is currently logged in to the client application.
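
The gate described in the abstract, sketched as an added example (not code from the patent or its owner). The class, method and return-value names are hypothetical, and the certificate is modelled as a random secret matched by its SHA-256 fingerprint, a simplification of a real certificate exchange.

```python
import hashlib
import hmac
import secrets

FORWARD = "FORWARD_TO_NORMAL_LOGIN"  # hypothetical outcome labels
BLOCK = "BLOCK"


class AuthProxy:
    """Toy model of the login-intercepting proxy (all names are assumptions)."""

    def __init__(self, app_sessions):
        # user -> True when the user is currently logged in to the client application
        self.app_sessions = app_sessions
        # user -> fingerprint of the credential issued at enrollment
        self.enrolled = {}

    def enroll(self, user):
        # Verification for issuing the credential is only that the user
        # is currently logged in to the client application.
        if not self.app_sessions.get(user):
            return None
        credential = secrets.token_bytes(32)  # stand-in for a generated certificate
        self.enrolled[user] = hashlib.sha256(credential).hexdigest()
        return credential  # kept on the user's computer, no further interaction

    def on_login_request(self, user, presented=None):
        # Called for every intercepted login request, before the application sees it.
        expected = self.enrolled.get(user)
        if expected is None:
            return FORWARD  # not enrolled: normal (password-only) login continues
        if presented is None:
            return BLOCK    # enrolled, but no credential came from this computer
        got = hashlib.sha256(presented).hexdigest()
        if hmac.compare_digest(got, expected):
            return FORWARD  # strong authentication passed; normal login still follows
        return BLOCK


def demo():
    # Constructed sample state: alice has an application session, bob does not.
    proxy = AuthProxy({"alice": True, "bob": False})
    before = proxy.on_login_request("alice")
    credential = proxy.enroll("alice")
    return [before, proxy.enroll("bob"), proxy.on_login_request("alice", credential),
            proxy.on_login_request("alice"), proxy.on_login_request("alice", b"x" * 32)]
```

The model makes two properties of the scheme visible: an account that never enrolled is still protected only by its normal login, and the assurance of enrollment is exactly that of the application session used to request it.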

Description

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to the field of entity authentication and specifically to authentication of users attempting to access a network accessible resource. Even more specifically it relates to such authentication methods and/or systems which automatically enroll users for a strong authentication method.

[0003] 2. Background Information

[0004] The conventional architecture of a network based application, as shown in FIG. 10, is now well known. The application server, 204, hosts the application and provides related services to distributed users such as user 200, via the network, 202. One major concern in such an environment is authenticating the identity of the user and specifically validating that the user has the claimed identity and is authorized to use or access the provided services. While the network in question is often the Internet, this is not required, either in general or for the present invention. ...


Application Information

IPC(8): H04K1/00, H04L29/06
CPC: H04L63/0281, H04L63/0823, H04L2463/082, G06F21/46
Inventor: LIU, GOUPING
Owner: LIU GOUPING